Ensure that the MOVEit Transfer Server and the Gateway Server were successfully installed and configured.
Notes
The MOVEit Transfer public rule that blocks all public incoming connections is recommended because it overrides any other rules that may already exist, possibly including rules added by the MOVEit Transfer installer: "Block" rules take precedence over "Allow" rules.
Internal users will be able to access MOVEit Transfer directly only if there is a second network interface that Windows has marked as private. Note that network interfaces, including the one used to connect to the Gateway, are created as public by default in Windows, so the customer would have to go out of their way to mark a second interface (if any) as private. Incoming connections through the tunnel are treated as private.
Step 1: Gateway Server Firewall Rules
Note: The examples shown below were created using the Windows Firewall with Advanced Security. If using a generic (non-Windows) firewall, see Generic Firewall Rules.
Create public network inbound port rules to allow incoming connections for the following ports:
Port 21 (FTPS Explicit)
Port 22 (SSH/SFTP)
Port 443 (HTTPS)
Port 2443 (HTTPS with client certificates)
Port 80 (HTTP)
Port 990 (FTPS Implicit)
Ports 4000-4100 (FTPS Data)
Port 10022 (SSH Tunnel)
Under the Scope tab, modify the Remote IP Address for port 10022 to only allow connections from the MOVEit Transfer server IP address (for example, 192.168.196.237).
Verify that the firewall state is enabled for public network locations.
Step 2: MOVEit Transfer Server Firewall Rules
Modify the following pre-defined inbound port rules so that they apply only to the private network profile.
Note: Unless you need access from other internal networks, you can disable these firewall rules instead.
MOVEit DMZ FTP
MOVEit DMZ SSH
World Wide Web Services (HTTP Traffic-In)
World Wide Web Services (HTTPS Traffic-In)
Create a new public network inbound rule that blocks incoming connections on all ports.
Verify that the firewall state is enabled for both public and private network locations.
Step 3: Verify Firewall Rules
Test 1:
Open a web browser on the Gateway server and try to connect to the MOVEit Transfer server IP address.
Note: If the firewall rules have been correctly defined, the connection to the MOVEit Transfer server IP address should time out, because the public-profile block rule on the Transfer server drops the direct connection.
Test 2:
Open a web browser on the Gateway server and try to connect to the Gateway server IP address.
Note: If the firewall rules have been correctly defined, the connection to the Gateway server IP address should succeed.
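The three steps above as PowerShell cmdlets for Windows Firewall with Advanced Security. This is an added example, not part of the MOVEit documentation or product: the rule display names, the Gateway address, and the use of 192.168.196.237 as the Transfer server address are assumptions, and each section must be run in an elevated session on the server it names.

```powershell
# Added example (not from the MOVEit documentation). Rule names, $gatewayIp and the
# Transfer address 192.168.196.237 (taken from the text) are assumptions; adjust them.
$transferIp = '192.168.196.237'   # MOVEit Transfer server (assumed, from the text)
$gatewayIp  = '203.0.113.10'      # Gateway server public address (placeholder)

# --- Step 1: run on the Gateway server -----------------------------------------
$gatewayPorts = [ordered]@{
    'MOVEit Gateway - FTPS Explicit'      = '21'
    'MOVEit Gateway - SSH/SFTP'           = '22'
    'MOVEit Gateway - HTTP'               = '80'
    'MOVEit Gateway - HTTPS'              = '443'
    'MOVEit Gateway - FTPS Implicit'      = '990'
    'MOVEit Gateway - HTTPS client certs' = '2443'
    'MOVEit Gateway - FTPS Data'          = '4000-4100'
}
foreach ($name in $gatewayPorts.Keys) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort $gatewayPorts[$name] -Action Allow -Profile Public | Out-Null
}
# Only the Transfer server dials the tunnel port, so scope 10022 to that address.
New-NetFirewallRule -DisplayName 'MOVEit Gateway - SSH Tunnel' -Direction Inbound `
    -Protocol TCP -LocalPort 10022 -RemoteAddress $transferIp `
    -Action Allow -Profile Public | Out-Null
Set-NetFirewallProfile -Profile Public -Enabled True

# --- Step 2: run on the MOVEit Transfer server ---------------------------------
$privateOnly = 'MOVEit DMZ FTP', 'MOVEit DMZ SSH',
               'World Wide Web Services (HTTP Traffic-In)',
               'World Wide Web Services (HTTPS Traffic-In)'
# Restrict the pre-defined rules to the private profile (tunnel traffic counts as private).
Get-NetFirewallRule -DisplayName $privateOnly | Set-NetFirewallRule -Profile Private
# Explicit block rule: Block takes precedence over any Allow rule already present.
New-NetFirewallRule -DisplayName 'MOVEit Transfer - Block all public inbound' `
    -Direction Inbound -Protocol Any -Action Block -Profile Public | Out-Null
Set-NetFirewallProfile -Profile Public, Private -Enabled True

# --- Step 3: run on the Gateway server -----------------------------------------
# Test 1 should fail (time out); Test 2 should succeed.
$direct = Test-NetConnection -ComputerName $transferIp -Port 443 -InformationLevel Quiet
$viaGw  = Test-NetConnection -ComputerName $gatewayIp  -Port 443 -InformationLevel Quiet
"Direct to Transfer blocked: $(-not $direct); Gateway reachable: $viaGw"
```

The two boolean results from Step 3 are the same checks as Test 1 and Test 2; a value of $true for $direct means an allow rule on the Transfer server still matches the public profile and should be reviewed.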